Magecart rewrote the script of the plugin provided by Shopper Approved
The notorious hacker group Magecart has carried out a new malware attack, this time targeting Shopper Approved, an online company that specializes in providing rating seals for online shops so that customers can vote.
RiskIQ security researchers, who have been following Magecart's actions for the past few months, issued a report providing details of the attack. As it turns out, the hack did not affect the website of Shopper Approved itself, but instead targeted eCommerce partners. Cybercriminals used the same method when targeting Ticketmaster, British Airways and NewEgg:
Similar to the attack against Ticketmaster, this attack did not impact a single store directly. Instead, it attempted to skim payment information from multiple online stores at once by compromising a widely used third party.
While the scale of the breach did not manage to reach that of a Ticketmaster or British Airways, it is apparent that Magecart skimming operations will not stop and we can expect more large-scale breaches in the future.
The last attack was less impactful – taken down within two days
The incident occurred on September 15th, when Magecart managed to access the company's internal server and inject malicious skimming code into the file located at https://shopperapproved.com/seals/certificate.js. The skimmer used the same drop server as the one in the Feedify breach. However, according to researchers, the hackers made a mistake when implanting the code and forgot to obfuscate the skimmer, replacing it with the correct version 15 minutes later.
The code was modified several times before it was taken down on September 17th, as soon as RiskIQ researchers contacted the company. Shopper Approved immediately launched an internal investigation to find out more about who was affected by the data breach.
The overall impact of the attack was relatively small, as the skimmer was detected and removed quickly. Additionally, while the widget is active on many shopping sites, only a small fraction of those was affected. The exact number of affected customers is unknown, but experts believe data of around a few hundred people was stolen.
However, the main reason the attack stayed so small in scale is that most high-profile shopping carts block external scripts from running on the checkout page, which is a good practice. Additionally, the skimmer was only triggered on pages that contained specific keywords within the website address.
Magecart is just a part of a large-scale scheme in data harvesting
2018 has been an active year for hackers, and Magecart, in particular, shines in this business. According to Softpedia, 4.5 billion records were stolen during the first six months of the year alone, which is a 133% increase compared to last year's record.
More and more companies are digitalizing their systems, storing the details of millions of people in large databases. However, with innovation comes great risk: cybercriminals are ready to take a portion of that personal data and turn it into a successful, but malicious, business.
Therefore, companies should take action to prevent large-scale data breaches, especially with groups like Magecart improving their techniques and learning new avoidance tricks. The final word of advice from RiskIQ researchers:
If you own an e-commerce company, it’s a best practice to remove the third-party code from your checkout pages whenever possible. Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information.
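As an added illustration of the two points above, that carts which block external scripts on the checkout page were not hit and that third-party code should be removed from checkout pages (this is not code from RiskIQ, Shopper Approved or the original article), the following Python script lists every script a page loads from another host and marks it high severity when the page URL looks like a payment page. The URL hints, host names and sample HTML are constructed assumptions, not values from the incident.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed URL hints for pages that take payment data; adjust to your routes.
CHECKOUT_HINTS = ("checkout", "payment", "cart")

# Constructed sample page; all hosts are placeholders.
SAMPLE_HTML = """
<script src="/static/cart.js"></script>
<script src="https://seals.vendor.example/certificate.js"></script>
<script src="//cdn.vendor.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = 1;</script>
"""


class ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"].strip(), bool(a.get("integrity"))))


def audit_page(page_url, html, allowed_hosts=()):
    """List scripts loaded from hosts other than the page's own."""
    url = urlsplit(page_url)
    # Any third-party script on a payment page is high severity, pinned or not.
    sensitive = any(hint in url.path.lower() for hint in CHECKOUT_HINTS)
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_sri in collector.scripts:
        host = urlsplit(urljoin(page_url, src)).hostname
        if host == url.hostname or host in allowed_hosts:
            continue
        findings.append({"src": src, "host": host, "sri": has_sri,
                         "severity": "high" if sensitive else "review"})
    return findings


if __name__ == "__main__":
    for f in audit_page("https://shop.example/checkout/payment", SAMPLE_HTML):
        print(f)
```

The `sri` field records whether a Subresource Integrity hash pins the file; a browser refuses to run a pinned script whose content no longer matches the hash, which covers the case of a vendor-hosted file being modified on the vendor's server.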